kubernetes-sigs
diff --git a/‎api/v1beta1/types.go
+3-2 b/‎api/v1beta1/types.go
+3-2
diff --git a/‎api/v1beta1/types_template.go
+3-2 b/‎api/v1beta1/types_template.go
+3-2
diff --git a/‎api/v1beta1/zz_generated.deepcopy.go
+4-4 b/‎api/v1beta1/zz_generated.deepcopy.go
+4-4
diff --git a/‎azure/scope/cluster.go
+9-14 b/‎azure/scope/cluster.go
+9-14
diff --git a/‎config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml
+4-3 b/‎config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml
+4-3
diff --git a/‎config/crd/bases/infrastructure.cluster.x-k8s.io_azureclustertemplates.yaml
+4-4 b/‎config/crd/bases/infrastructure.cluster.x-k8s.io_azureclustertemplates.yaml
+4-4
diff --git a/‎docs/book/src/self-managed/custom-vnet.md
+5-5 b/‎docs/book/src/self-managed/custom-vnet.md
+5-5
diff --git a/‎templates/cluster-template-clusterclass-rke2.yaml
+231 b/‎templates/cluster-template-clusterclass-rke2.yaml
+231
@@ -111,9 +111,10 @@ type NetworkSpec struct {
 	// +optional
 	ControlPlaneOutboundLB *LoadBalancerSpec `json:"controlPlaneOutboundLB,omitempty"`
 
-	// AdditionalControlPlaneLBPorts is the configuration for the additional inbound control-plane load balancer ports
+	// AdditionalAPIServerLBPorts specifies extra inbound ports for the APIServer load balancer.
+	// Each port specified (e.g., 9345) creates an inbound rule where the frontend port and the backend port are the same.
 	// +optional
-	AdditionalControlPlaneLBPorts []LoadBalancerPort `json:"additionalControlPlaneLBPorts,omitempty"`
+	AdditionalAPIServerLBPorts []LoadBalancerPort `json:"additionalAPIServerLBPorts,omitempty"`
 
 	NetworkClassSpec `json:",inline"`
 }
 
@@ -76,9 +76,10 @@ type NetworkTemplateSpec struct {
 	// +optional
 	ControlPlaneOutboundLB *LoadBalancerClassSpec `json:"controlPlaneOutboundLB,omitempty"`
 
-	// AdditionalControlPlaneLBPorts is the configuration for the additional inbound control-plane load balancer ports
+	// AdditionalAPIServerLBPorts is the configuration for the additional inbound control-plane load balancer ports
+	// Each port specified (e.g., 9345) creates an inbound rule where the frontend port and the backend port are the same.
 	// +optional
-	AdditionalControlPlaneLBPorts []LoadBalancerPort `json:"additionalControlPlaneLBPorts,omitempty"`
+	AdditionalAPIServerLBPorts []LoadBalancerPort `json:"additionalAPIServerLBPorts,omitempty"`
 }
 
 // GetSubnetTemplate returns the subnet template based on the subnet role.
 
@@ -1030,15 +1030,9 @@ func (s *ClusterScope) SetControlPlaneSecurityRules() {
 
 	subnet := s.ControlPlaneSubnet()
 
-	if subnet.SecurityGroup.SecurityRules == nil {
-		subnet := s.ControlPlaneSubnet()
-
-		s.AzureCluster.Spec.NetworkSpec.UpdateControlPlaneSubnet(subnet)
-	}
-
-	if subnet.GetSecurityRuleByDestination("22") == nil {
-		subnet := s.ControlPlaneSubnet()
-		subnet.SecurityGroup.SecurityRules = append(s.ControlPlaneSubnet().SecurityGroup.SecurityRules,
+	missing_ssh := subnet.GetSecurityRuleByDestination("22") == nil
+	if missing_ssh {
+		subnet.SecurityGroup.SecurityRules = append(subnet.SecurityGroup.SecurityRules,
 			infrav1.SecurityRule{
 				Name:             "allow_ssh",
 				Description:      "Allow SSH",
@@ -1051,14 +1045,13 @@ func (s *ClusterScope) SetControlPlaneSecurityRules() {
 				DestinationPorts: ptr.To("22"),
 				Action:           infrav1.SecurityRuleActionAllow,
 			})
-
-		s.AzureCluster.Spec.NetworkSpec.UpdateControlPlaneSubnet(subnet)
 	}
 
 	port := strconv.Itoa(int(s.APIServerPort()))
-	if subnet.GetSecurityRuleByDestination(port) == nil {
-		subnet := s.ControlPlaneSubnet()
-		subnet.SecurityGroup.SecurityRules = append(s.ControlPlaneSubnet().SecurityGroup.SecurityRules, infrav1.SecurityRule{
+
+	missing_api_port := subnet.GetSecurityRuleByDestination(port) == nil
+	if missing_api_port {
+		subnet.SecurityGroup.SecurityRules = append(subnet.SecurityGroup.SecurityRules, infrav1.SecurityRule{
 			Name:             "allow_apiserver",
 			Description:      "Allow K8s API Server",
 			Priority:         2201,
@@ -1070,7 +1063,9 @@ func (s *ClusterScope) SetControlPlaneSecurityRules() {
 			DestinationPorts: ptr.To(port),
 			Action:           infrav1.SecurityRuleActionAllow,
 		})
+	}
 
+	if missing_ssh || missing_api_port {
 		s.AzureCluster.Spec.NetworkSpec.UpdateControlPlaneSubnet(subnet)
 	}
 }
 
@@ -658,9 +658,10 @@ spec:
                 description: NetworkSpec encapsulates all things related to Azure
                   network.
                 properties:
-                  additionalControlPlaneLBPorts:
-                    description: AdditionalControlPlaneLBPorts is the configuration
-                      for the additional inbound control-plane load balancer ports
+                  additionalAPIServerLBPorts:
+                    description: |-
+                      AdditionalAPIServerLBPorts specifies extra inbound ports for the APIServer load balancer.
+                      Each port specified (e.g., 9345) creates an inbound rule where the frontend port and the backend port are the same.
                     items:
                       description: LoadBalancerPort specifies additional port for
                         the API server load balancer.
 
@@ -520,10 +520,10 @@ spec:
                         description: NetworkSpec encapsulates all things related to
                           Azure network.
                         properties:
-                          additionalControlPlaneLBPorts:
-                            description: AdditionalControlPlaneLBPorts is the configuration
-                              for the additional inbound control-plane load balancer
-                              ports
+                          additionalAPIServerLBPorts:
+                            description: |-
+                              AdditionalAPIServerLBPorts is the configuration for the additional inbound control-plane load balancer ports
+                              Each port specified (e.g., 9345) creates an inbound rule where the frontend port and the backend port are the same.
                             items:
                               description: LoadBalancerPort specifies additional port
                                 for the API server load balancer.
 
@@ -146,22 +146,22 @@ spec:
           name: my-subnet-cp-nsg
           securityRules:
             - name: "allow_ssh"
-              description: "Deny SSH"
+              description: "allow SSH"
               direction: "Inbound"
               priority: 2200
               protocol: "*"
               destination: "*"
               destinationPorts: "22"
               source: "*"
               sourcePorts: "*"
-              action: "Deny"
+              action: "Allow"
             - name: "allow_apiserver"
-              description: "Allow Custom K8s API Server"
+              description: "Allow K8s API Server"
               direction: "Inbound"
               priority: 2201
               protocol: "*"
               destination: "*"
-              destinationPorts: "1234" # Custom API server URL
+              destinationPorts: "6443"
               source: "*"
               sourcePorts: "*"
               action: "Allow"
@@ -197,7 +197,7 @@ spec:
       name: my-vnet
       cidrBlocks:
         - 10.0.0.0/16
-    additionalControlPlaneLBPorts:
+    additionalAPIServerLBPorts:
       - name: RKE2
         port: 9345
     subnets: